The vulnerabilities were reported to Trend Micro in early September and they were patched in mid-November with the release of version 3.3. The security firm has made available an advisory of its own for the flaws, which are tracked as CVE-2017-11398, CVE-2017-14094, CVE-2017-14095, CVE-2017-14096 and CVE-2017-14097. The vendor has rated only one of the issues as high severity, while the rest are medium severity.

One of the security holes is related to the fact that an attacker could have accessed diagnostic logs without authentication via HTTP. Accessing the log file can allow an attacker to obtain information needed to hijack active user sessions and perform authenticated requests.

Once authentication has been bypassed using the aforementioned flaw, an attacker could have exploited a weakness related to a PHP script that creates cron jobs when scheduling software updates. Core Security has released proof-of-concept (PoC) exploits that show how a hacker could have leveraged this vulnerability to execute arbitrary commands and open a reverse shell using specially crafted requests.
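The following is an added example, not code from Trend Micro or Core Security, showing how a PHP scheduler of the kind described above can build a cron entry so that request data cannot add commands to it. It assumes the weakness comes from request fields reaching the cron line unvalidated; the field names, the `/etc/cron.d`-style line format and the `UPDATE_COMMAND` path are hypothetical.

```php
<?php
// Added illustration, not vendor code. Assumption: the scheduler receives
// minute/hour/weekday from an HTTP request and writes an /etc/cron.d-style line.

const UPDATE_COMMAND = '/usr/local/bin/run-update'; // hypothetical; never derived from the request

/** Return $value as an int if it is a plain decimal within [$min, $max], else throw. */
function cronField(string $name, $value, int $min, int $max): int
{
    // ctype_digit() rejects signs, whitespace, newlines, '*', ';', '$()' and backticks.
    if (!is_string($value) || $value === '' || strlen($value) > 2 || !ctype_digit($value)) {
        throw new InvalidArgumentException("$name must be a decimal number");
    }
    $n = (int) $value;
    if ($n < $min || $n > $max) {
        throw new InvalidArgumentException("$name out of range $min-$max");
    }
    return $n;
}

/** Build one crontab line from untrusted request fields. */
function buildUpdateCronLine(array $request): string
{
    $minute  = cronField('minute', $request['minute'] ?? null, 0, 59);
    $hour    = cronField('hour', $request['hour'] ?? null, 0, 23);
    $weekday = cronField('weekday', $request['weekday'] ?? null, 0, 6);
    // Only validated integers are interpolated; the command itself is a constant.
    return sprintf("%d %d * * %d root %s\n", $minute, $hour, $weekday, UPDATE_COMMAND);
}

// Constructed sample requests: one well-formed, one carrying extra shell text.
$samples = [
    ['minute' => '30', 'hour' => '2', 'weekday' => '0'],
    ['minute' => '30', 'hour' => '2;echo test', 'weekday' => '0'],
];
foreach ($samples as $sample) {
    try {
        echo 'accepted: ', buildUpdateCronLine($sample);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Because every interpolated value is a range-checked integer and the command is fixed, the second sample is rejected before anything is written to the cron file.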

Researchers also found a local file inclusion vulnerability that can lead to remote command execution. This weakness is more difficult to exploit as the attacker needs to set up a fake update server and get the Trend Micro product to download a malicious file from it.

Successful exploitation results in a PHP script being written to the server. The attacker can then include the script using the file inclusion vulnerability and execute it.

In this case, escalating privileges to root is also possible, including via methods disclosed a few months ago by researchers Steven Seeley and Roberto Suggi Liverani, who reported identifying more than 200 vulnerabilities in Trend Micro products. Core Security said several of the privilege escalation vectors disclosed by the experts remain unpatched.

Core researchers also discovered a stored cross-site scripting (XSS) flaw that could have been leveraged to execute arbitrary code whenever a user accessed a specific URL.

Finally, Trend Micro Smart Protection Server was affected by an improper access control issue that exposed the credentials needed to access monitored servers and other information. The credentials were stored in a SQLite database in an encrypted form, but the database could have been accessed without authentication, and the encryption key was stored in an unprotected location and could have been downloaded by an unauthenticated user.

This is not the first time Core researchers have found vulnerabilities in a security product. In late June, the company said it had discovered several potentially serious flaws in Kaspersky Lab’s Anti-Virus for Linux File Server product.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.